W3C home > Mailing lists > Public > public-web-security@w3.org > February 2011

Re: A perfect DOM sandbox

From: Giorgio Maone <g.maone@informaction.com>
Date: Wed, 16 Feb 2011 12:30:37 +0100
Message-ID: <4D5BB55D.1020008@informaction.com>
To: "sird@rckc.at" <sird@rckc.at>
CC: Boris Zbarsky <bzbarsky@mit.edu>, gaz Heyes <gazheyes@gmail.com>, public-web-security@w3.org
sird@rckc.at wrote, On 16/02/2011 5.24:
>
>> And one more thing.  If you just want to have your HTML parsed in a context in which scripts won't execute, you can simply createDocument a document via the DOMImplementation and then set innerHTML in there...
> because that's an XML parser.
> doc.childNodes[0].innerHTML="<img src=x onload=alert(1) onerror=alert(1)>"
> NS_ERROR_DOM_SYNTAX_ERR on line 1: An invalid or illegal string was specified

Not necessarily.

Try

var doc = docImpl.createDocumentType("html", "", ""));
var body = doc.createElement("body");
body.innerHTML="<img src=x onload=alert(1) onerror=alert(1)>"


NoScript uses tricks like these to take in account out fancy and forgiving 
HTML parsing in its XSS filter :)

Cheers
-- G
Received on Wednesday, 16 February 2011 11:32:41 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 16 February 2011 11:32:43 GMT